From: Jason Wang Date: Wed, 24 Feb 2021 13:45:28 +0800 Subject: e1000: fail early for evil descriptor Git-commit: 3de46e6fc489c52c9431a8a832ad8170a7569bd8 References: bsc#1182577, CVE-2021-20257 During procss_tx_desc(), driver can try to chain data descriptor with legacy descriptor, when will lead underflow for the following calculation in process_tx_desc() for bytes: if (tp->size + bytes > msh) bytes = msh - tp->size; This will lead a infinite loop. So check and fail early if tp->size if greater or equal to msh. Reported-by: Alexander Bulekov Reported-by: Cheolwoo Myung Reported-by: Ruhr-University Bochum Cc: Prasad J Pandit Cc: qemu-stable@nongnu.org Signed-off-by: Jason Wang Signed-off-by: Bruce Rogers --- hw/net/e1000.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hw/net/e1000.c b/hw/net/e1000.c index d7d05ae30afafb2e7979c74564a6..02a446b89bae0dec0acdefa54760 100644 --- a/hw/net/e1000.c +++ b/hw/net/e1000.c @@ -670,6 +670,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) msh = tp->tso_props.hdr_len + tp->tso_props.mss; do { bytes = split_size; + if (tp->size >= msh) { + goto eop; + } if (tp->size + bytes > msh) bytes = msh - tp->size; @@ -695,6 +698,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) tp->size += split_size; } +eop: if (!(txd_lower & E1000_TXD_CMD_EOP)) return; if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) {